Letsencrypt on Ubuntu for ERPNext and Frappe

This is a continuation of ( https://cloud.erpgulf.com/blog/support-forum/installing-erpnext-version-14-on-ubuntu-22+ ) and part of a series. The explanation can be seen on Youtube.com/ERPGulf


Let's do Letsencrypt for ERPNext now


This article is a continuation of https://cloud.erpgulf.com/blog/blogs/erpnext-version-14-install-in-production-mode-nginx-supervirso-gunicorn



    sudo service nginx stop

  1. sudo apt install certbot -y
  2. sudo apt install certbot python3-certbot-nginx
  3. sudo certbot certonly -a nginx -d yoursite.example.com   (You may get 'unknown log format "main"' at this stage. Please read the footnote, Note 1, to resolve this.)


You will get a message like this:

    Congratulations! Your certificate and chain have been saved at:
     /etc/letsencrypt/live/example.com/fullchain.pem


Now you have the certificate in the folder /etc/letsencrypt/live/


Edit the nginx configuration file, in our case /etc/nginx/conf.d/frappe-bench.conf


Go to the server section and change port 80 to 443 (or whatever port you want).

The server block with the added/edited lines looks like this:


server {
    listen 443 ssl;

    server_name yoursite.example.com;

    root /opt/bench/frappe-bench/sites;

    # Certificate and private key issued by certbot
    ssl_certificate   /etc/letsencrypt/live/yoursite.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.example.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    # Security response headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # ... the rest of the server block stays as it was ...
}

Restart nginx:

    service nginx restart


Now you have an https site.


You can see here the full file for nginx/frappe https://github.com/ERPGulf/docs/blob/main/frappe-bench.conf

You also need redirects to forward from http to https and/or to cut the www part. The file is here; put it in the conf.d folder: https://github.com/ERPGulf/docs/blob/main/redirect.conf


The next part is making sure the Let's Encrypt certificate gets renewed every three months.



    crontab -e

Add this line:

    15 3 * * * /usr/bin/certbot -a nginx renew --quiet


Then edit the certbot configuration file:

    vim /etc/letsencrypt/cli.ini

and add this line:

    deploy-hook = systemctl reload nginx


You can use this command to check that the certbot timer is active:

  1. sudo systemctl status certbot.timer

It should report "Started Run certbot twice daily".


Try a dry-run for renewal. You should get a "Congratulations" message.

  1. sudo certbot -a nginx renew --dry-run 

 

Happy hosting.


Let us know your feedback


Add another site on the same ERPNext server https://cloud.erpgulf.com/blog/linux-and-cloud/adding-antoher-site-on-ubuntu-22-erpnext-14


------------------------------

Note 1:

If nginx fails because of a log format error (unknown log format "main", or something like that), open the main configuration file:

    sudo vim /etc/nginx/nginx.conf

and add the following to the http section:

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

-----------------------



Team ERPGulf

The team behind ERPGulf blogs here, expresses its thoughts, shares its experience, and often shows its frustrations. Contact us at support@ERPGulf.com

4 comments
Foram Shah March 18, 2024

Hello Everyone,

I am trying to link the SSL Certificate to my bench. I have a bench of the 15th version.

    { "dbname": "dbname", "dbpassword": "dbpassword", "dbtype": "mariadb", "encryptionkey": "key", "serverscriptenabled": 1, "usertypedoctypelimit": { "employeeselfservice": 30 }, "domains": [ { "domain": "subdomain.domain.ai", "sslcertificate": "/home/pc/Documents/Certificate/subdomain.domain.ai.crt", "sslcertificatekey": "/home/pc/Documents/Certificate/subdomain.domain.ai.key" } ] }

This is my site_config.json.

I have a certificate that has been purchased from the emsign, I don’t want to create a new one with Let’s Encrypt.

Please guide me on how to configure the certificate.

Nay January 3, 2024

THANK YOU SIR. This series saved me hours of frustration (worked with current v15 and Python 3.11)!

Yenten December 26, 2023

This is a great tutorial with clear instructions in the YouTube video. I have been searching for how to install SSL on a custom port other than port 443. It helps me a lot. Thank you sir.

Administrator August 29, 2022

ERPNextTips

Certbot may not work in Python 3.10.
So do the following step: vim /usr/bin/certbot and change the line #!/usr/bin/python3 to: #!/usr/bin/python3.8
